Subject: bin/23167: login(1) skey prompt does not comply with RFC2289
To: None <>
From: None <>
List: netbsd-bugs
Date: 10/16/2003 00:18:08
>Number:         23167
>Category:       bin
>Synopsis:       login(1) s/key prompt does not comply with RFC2289
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Oct 16 05:19:00 UTC 2003
>Originator:     Dave Huang
>Release:        NetBSD 1.6ZC
Name: Dave Huang         |  Mammal, mammal / their names are called /
INet: |  they raise a paw / the bat, the cat /
FurryMUCK: Dahan         |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 27 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
System: NetBSD 1.6ZC NetBSD 1.6ZC (YERFABLE) #200: Sat Oct 4 00:54:49 CDT 2003 alpha
Architecture: alpha
Machine: alpha
	The s/key prompt issued by login(1) looks like this:

Password [otp-md5 94 yerf08320]:

However, RFC2289 says that "...the entire challenge string MUST be
terminated with either a space or a new line."

See bin/14848 <>
where ftpd was doing the same thing (ftpd has since been fixed and the
PR closed).

	Telnet to a system using s/key OTPs and log in.
Index: login.c
RCS file: /cvsroot/src/usr.bin/login/login.c,v
retrieving revision 1.74
diff -u -r1.74 login.c
--- login.c	2003/08/26 16:48:33	1.74
+++ login.c	2003/10/16 05:16:36
@@ -422,7 +422,7 @@
 			const char *skinfo = skey_keyinfo(username);
 			(void)snprintf(skprompt, sizeof(skprompt)-1,
-			    "Password [%s]:",
+			    "Password [ %s ]:",
 			    skinfo ? skinfo : "error getting challenge");
 			pwprompt = skprompt;
 		} else